Interesting blog about decoding password hints from registry
http://blog.spiderlabs.com/2012/08/all-your-password-hints-are-belong-to-us.html#more
Nice find :)
Though, if I may, there is no need to "decode" anything, nor to invoke .php malware similarities, nor to put together a quick Ruby script, the example hex string
6D 00 6F 00 6E 00 6B 00 65 00 79 00 73 00 20 00 65 00 61 00 74 00 2E 00 2E 00 2E 00
looks, more simply, like Unicode, and can be read in *any* hex editor/viewer/dumper
0x00000000 6d 00 6f 00 6e 00 6b 00 65 00 79 00 73 00 20 00 m.o.n.k.e.y.s. .
0x00000010 65 00 61 00 74 00 2e 00 2e 00 2e 00 e.a.t.......
or adding a FFFE in front of it
FF FE 6D 00 6F 00 6E 00 6B 00 65 00 79 00 73 00 20 00 65 00 61 00 74 00 2E 00 2E 00 2E 00
and open the "hex file" in Wordpad….
wink
jaclaz
Yeah, it's a little disappointing to me that these people who seem to be technical described UTF-16 as
I was a little disappointed thinking that the hint was encrypted in some way until I noticed the pattern of zeros. Having dealt with a fair amount of PHP malware in the last couple months, one of things the “baddies” do is chunk up their payload data into individual characters and then encode them in their ASCII numerical representation.
UTF-16 is hardly an obfuscation technique 😯
Useful to know where they're stored though.
I guess their issue was that it was a "hex string" not actually binary data though?
For fun, I'll just take this opportunity to assert Python's dominance over Ruby here ('s' is the hex string)
bytes.fromhex(s).decode("utf_16_le")
should do it :D
RegRipper's samparse.pl plugin has had this for some time…
$hint =~ s/\00//g;
Perl: Holding down shift and headbutting the keyboard to generate functioning code since 1987 :D
Edit: Also that won't work for any text stored any higher than the first 256 Unicode codepoints (so Chinese for example) right? And will REALLY break if it's a mixture of (for example) Latin and Chinese text.
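Added example, not part of any post in this thread: the two approaches discussed above (decoding the value as UTF-16LE versus removing every 0x00 byte) run side by side on the thread's hex string and on a constructed mixed Latin/Chinese hint. The function names, the sample hint and the Latin-1 reading of the stripped bytes are assumptions made for the illustration.

```python
# Hex string quoted in the thread (UTF-16LE text from the registry value).
THREAD_HEX = ("6D 00 6F 00 6E 00 6B 00 65 00 79 00 73 00 20 00 "
              "65 00 61 00 74 00 2E 00 2E 00 2E 00")

# Constructed sample: Latin text followed by U+4E00 and U+4E8C.
MIXED_HINT = "pw \u4e00\u4e8c"


def to_hex(text):
    """Render text the way the hint appears in a hex dump (UTF-16LE bytes)."""
    return " ".join(f"{b:02X}" for b in text.encode("utf-16-le"))


def decode_hint(hex_string):
    """Decode a space-separated hex dump as UTF-16LE, tolerating an FF FE BOM."""
    raw = bytes.fromhex(hex_string)
    if raw[:2] == b"\xff\xfe":
        raw = raw[2:]
    if len(raw) % 2:
        raise ValueError("UTF-16 data must have an even number of bytes")
    return raw.decode("utf-16-le")


def strip_nuls(hex_string):
    """Lossy approach: delete every 0x00 byte and read the rest one byte per
    character (Latin-1 is assumed here so that every byte maps to a character)."""
    raw = bytes.fromhex(hex_string)
    return raw.replace(b"\x00", b"").decode("latin-1")


if __name__ == "__main__":
    for label, hex_string in (("thread", THREAD_HEX),
                              ("mixed", to_hex(MIXED_HINT))):
        print(label, "hex      :", hex_string)
        print(label, "utf-16-le:", repr(decode_hint(hex_string)))
        print(label, "strip 00 :", repr(strip_nuls(hex_string)))
```

For the thread's string both functions return the same text; for the mixed hint, U+4E00 is stored as `00 4E`, so removing the zero byte turns it into a plain "N".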
I am perfectly okay with this…
It is called "career security". Let them enjoy the limelight, while I collect the paycheck.
Additionally, I seem to find unusual that the "test case" used such a plain password as "turnips" wink
http://wiki.answers.com/Q/What_fruits_and_vegetables_do_monkeys_eat
jaclaz
Come on, these are security conscious people, it'll be turnips123
…